Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/03/12 22:03:23 UTC

DO NOT REPLY [Bug 52892] New: Require expr and %{REMOTE_USER}

https://issues.apache.org/bugzilla/show_bug.cgi?id=52892

             Bug #: 52892
           Summary: Require expr and %{REMOTE_USER}
           Product: Apache httpd-2
           Version: 2.4.1
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: registration@blackdot.be
    Classification: Unclassified


(May have mislabeled the component, not sure if it is in authn_core or
authz_core)

What I'm trying to do:
|    <RequireAll>
|        Require ssl-verify-client
|        Require valid-user
|        Require expr ( \
|            (%{SSL_CLIENT_S_DN_O} == "Company") && \
|            (%{SSL_CLIENT_S_DN_OU} == "Staff") && \
|            (%{REMOTE_USER} == %{SSL_CLIENT_S_DN_CN}) \
|        )
|    </RequireAll>

Need valid Client Cert + Login, login needs to be the CN of the certificate.

What I expect to happen: this should work
What I see: %{REMOTE_USER} is empty!
> The expression parser provides a number of variables of the form %{HTTP_HOST}. Note that the value of a variable may depend on the phase of the request processing in which it is evaluated. For example, an expression used in an <If > directive is evaluated before authentication is done. Therefore, %{REMOTE_USER} will not be set in this case.

It's noted in the docs it can be empty... however:
| Require user hardcodeduser

Works fine... the information seems to be available at this stage.
So why isn't it exported?

For completeness:
I also tried "Require user %{SSL_CLIENT_S_DN_CN}" but that didn't work... I
wasn't expecting it to work though.

I don't think what I'm trying to do is unreasonable, if there is a way to do
it, it would be awesome.

Hopefully this is really a bug and not a limitation!

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 52892] Require expr and %{REMOTE_USER}


--- Comment #2 from Jorge Schrauwen <re...@blackdot.be> 2012-03-13 17:33:47 UTC ---
(In reply to comment #1)
> The require statements are actually executed twice, once before auth and once
> after auth. Auth is only triggered if a Require statement says that its result
> may change after auth and the change of this statement would actually make a
> difference in the end result. However, Require expr currently lacks the
> necessary logic for this.
> 
Will it support it in the future?

> You could try (untested):
> 
> <RequireAll>
>   Require ssl-verify-client
>   Require valid-user
>   <RequireAny>
>     Require user workaround_for_PR_52892
>     Require expr ...
>   </RequireAny>
> </RequireAll>
> 
> Then the Require user would trigger auth. Of course, workaround_for_PR_52892
> must not exist as a user or you have a security problem.

I've tested it and it works!
cert for user1 with user2 as login --> fail
cert for user1 with user1 as login --> success



[Bug 52892] Require expr and %{REMOTE_USER}


Stefan Fritsch <sf...@sfritsch.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk

--- Comment #4 from Stefan Fritsch <sf...@sfritsch.de> ---
fixed in trunk as r1351072



[Bug 52892] Require expr and %{REMOTE_USER}


Rainer Jung <ra...@kippdata.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Rainer Jung <ra...@kippdata.de> ---
Fixed for 2.4 in r1364266.
Released with 2.4.3.
Does not apply to 2.2.x.



DO NOT REPLY [Bug 52892] Require expr and %{REMOTE_USER}


--- Comment #1 from Stefan Fritsch <sf...@sfritsch.de> 2012-03-13 07:44:36 UTC ---
The require statements are actually executed twice, once before auth and once
after auth. Auth is only triggered if a Require statement says that its result
may change after auth and the change of this statement would actually make a
difference in the end result. However, Require expr currently lacks the
necessary logic for this.

You could try (untested):

<RequireAll>
  Require ssl-verify-client
  Require valid-user
  <RequireAny>
    Require user workaround_for_PR_52892
    Require expr ...
  </RequireAny>
</RequireAll>

Then the Require user would trigger auth. Of course, workaround_for_PR_52892
must not exist as a user or you have a security problem.
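As an added illustration (not code from the report, the replies, or httpd itself), the Python below models the two-pass evaluation this comment describes: providers answer granted, denied, or denied-for-lack-of-a-user, the RequireAll/RequireAny containers merge those answers, and authentication runs only when the merged pre-auth answer says a user could still change the result. The provider function names, the request dict, and the assumption that the login itself succeeds are all constructed for the model.

```python
GRANTED, DENIED, NO_USER = "granted", "denied", "denied_no_user"
# NO_USER means "deny for now, but my answer may change once authentication has run".

# Providers take the request dict and return one of the three answers. The client
# certificate is assumed already verified by mod_ssl, so ssl-verify-client is left out.
def valid_user(req):
    return GRANTED if req.get("REMOTE_USER") else NO_USER

def user(name):
    def check(req):
        u = req.get("REMOTE_USER")
        return NO_USER if not u else GRANTED if u == name else DENIED
    return check

def expr_cn_matches_login(req):
    # Require expr %{REMOTE_USER} == %{SSL_CLIENT_S_DN_CN} as it behaved in 2.4.1: the
    # unset variable expands to "" and the answer is a firm DENIED, so nothing tells the
    # core that running authentication could change the outcome.
    login = req.get("REMOTE_USER") or ""
    return GRANTED if login == req.get("SSL_CLIENT_S_DN_CN") else DENIED

def require_all(*checks):
    def check(req):
        rs = [c(req) for c in checks]
        if DENIED in rs:          # a firm deny: authentication cannot rescue this block
            return DENIED
        return NO_USER if NO_USER in rs else GRANTED
    return check

def require_any(*checks):
    def check(req):
        rs = [c(req) for c in checks]
        if GRANTED in rs:
            return GRANTED
        return NO_USER if NO_USER in rs else DENIED
    return check

def authorize(policy, req, login):
    result = policy(req)                    # pass 1: REMOTE_USER is still unset
    if result == NO_USER:                   # only now does httpd run authentication
        result = policy(dict(req, REMOTE_USER=login))   # pass 2; login assumed valid
    return result == GRANTED

# Constructed request: mod_ssl has already verified a certificate with CN=user1.
REQ = {"SSL_CLIENT_S_DN_CN": "user1"}
REPORTED = require_all(valid_user, expr_cn_matches_login)
WORKAROUND = require_all(valid_user,
                         require_any(user("workaround_for_PR_52892"), expr_cn_matches_login))
```

In the model, REPORTED is denied on pass 1 because the expr's firm DENIED outweighs valid-user's NO_USER, so authentication never runs; WORKAROUND reaches pass 2 because the placeholder Require user answers NO_USER. It also shows the caveat above: a login that actually matches workaround_for_PR_52892 satisfies the RequireAny without the CN comparison ever being applied.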



DO NOT REPLY [Bug 52892] Require expr and %{REMOTE_USER}


--- Comment #3 from Stefan Fritsch <sf...@sfritsch.de> 2012-03-13 19:30:37 UTC ---
(In reply to comment #2)
> > However, Require expr currently lacks the
> > necessary logic for this.
> > 
> Will it support it in the future?

yes
